Prevent misconfigurations with Enforce/Deny recommendations
Security misconfigurations are a major cause of security incidents. Defender for Cloud can help prevent misconfigurations of new resources with regard to specific recommendations.
This feature can help keep your workloads secure and stabilize your secure score.
Enforcing a secure configuration, based on a specific recommendation, is offered in two modes:
- Using the Deny effect of Azure Policy, you can stop unhealthy resources from being created. Deny is evaluated on the create or update request itself, so it only affects resources created or changed after the assignment exists; resources that are already non-compliant are reported, not removed
- Using the Enforce option, you can take advantage of Azure Policy's DeployIfNotExists effect and automatically remediate non-compliant resources upon creation. The resource is created first and the remediation deployment runs afterwards, so the assignment needs a managed identity with permission to make that change
The Deny and Enforce buttons appear at the top of the details page for the recommendations that support them (see Recommendations with deny/enforce options).
Prevent resource creation
Open the recommendation that your new resources must satisfy, and select the Deny button at the top of the page.
The configuration pane opens listing the scope options.
Set the scope by selecting the relevant subscription or management group.
Use the three dots at the end of a row to change the effect for a single subscription, or use the checkboxes to select multiple subscriptions or management groups and then select Change to Deny.
Enforce a secure configuration
Open the recommendation whose remediation template should be deployed whenever a new resource doesn't satisfy it, and select the Enforce button at the top of the page.
The configuration pane opens with all of the policy configuration options.
Set the scope, assignment name, and other relevant options.
Select Review + create.
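The two procedures above configure Azure Policy assignments with different effects. The following added example (not Defender for Cloud's or Azure Policy's own code) models offline what each assignment does to an incoming create request: a Deny assignment rejects the request, while a DeployIfNotExists (Enforce) assignment lets the resource through and then queues a deployment only when nothing satisfies the existence condition. The evaluator supports just the operators the two constructed rules need (allOf/anyOf/not, field with equals/notEquals/exists, and [parameters('effect')] substitution); the alias-to-path mapping, subscription ID, scope check and resource payloads are constructed for the example, and the rules are simplified versions of the built-in definitions behind "Secure transfer to storage accounts should be enabled" and "Diagnostic logs in Key Vault should be enabled".

```python
"""Offline model of a Deny and an Enforce (DeployIfNotExists) assignment.

Added illustration, not Azure Policy's engine. Aliases, IDs and payloads are
constructed; the rules are simplified versions of the built-in ones.
"""

# Assumed mapping of policy alias names to a path inside the resource payload.
ALIASES = {
    "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": ("properties", "supportsHttpsTrafficOnly"),
    "Microsoft.Insights/diagnosticSettings/logs.enabled": ("properties", "logsEnabled"),
}

# Constructed rule modelled on "Secure transfer to storage accounts should be enabled"
# (the built-in rule also handles API versions where the property may be absent).
SECURE_TRANSFER_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": "false"},
    ]},
    "then": {"effect": "[parameters('effect')]"},
}

# Constructed rule in the shape of "Diagnostic logs in Key Vault should be enabled":
# match a vault, look for a child diagnosticSettings resource with logs enabled,
# and run the deployment in details.deployment when none exists.
KEY_VAULT_DIAG_RULE = {
    "if": {"field": "type", "equals": "Microsoft.KeyVault/vaults"},
    "then": {
        "effect": "[parameters('effect')]",
        "details": {
            "type": "Microsoft.Insights/diagnosticSettings",
            "existenceCondition": {"field": "Microsoft.Insights/diagnosticSettings/logs.enabled", "equals": "true"},
            "deployment": {"templateName": "deploy-keyvault-diagnostic-settings"},  # placeholder for the ARM template
        },
    },
}

def get_field(resource, field):
    """Resolve a top-level field or an alias path; None when absent."""
    if field in ("type", "name", "id"):
        return resource.get(field)
    value = resource
    for key in ALIASES[field]:
        if not isinstance(value, dict) or key not in value:
            return None
        value = value[key]
    return value

def condition_met(cond, resource):
    """Evaluate an 'if' or existenceCondition block against one resource."""
    if "allOf" in cond:
        return all(condition_met(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_met(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_met(cond["not"], resource)
    actual = get_field(resource, cond["field"])
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:  # case-insensitive string compare; booleans become "true"/"false"
        return actual is not None and str(actual).lower() == str(cond["equals"]).lower()
    if "notEquals" in cond:
        return actual is None or str(actual).lower() != str(cond["notEquals"]).lower()
    raise ValueError(f"unsupported condition: {cond}")

def resolve_effect(rule, parameters):
    """Substitute [parameters('effect')] with the value chosen at assignment time."""
    effect = rule["then"]["effect"]
    prefix, suffix = "[parameters('", "')]"
    if effect.startswith(prefix) and effect.endswith(suffix):
        effect = parameters[effect[len(prefix):-len(suffix)]]
    return effect

def evaluate_request(request, assignment, existing_children=()):
    """Return {"allowed", "effect", "remediation"} for a create/update request.

    existing_children are resources already nested under the requested resource
    and feed the DeployIfNotExists existence check.
    """
    if not request["id"].lower().startswith(assignment["scope"].lower()):  # outside assignment scope
        return {"allowed": True, "effect": None, "remediation": None}
    rule = assignment["policyRule"]
    if not condition_met(rule["if"], request):
        return {"allowed": True, "effect": None, "remediation": None}
    effect = resolve_effect(rule, assignment["parameters"])
    if effect == "Deny":  # rejected in the request path; the resource is never created
        return {"allowed": False, "effect": effect, "remediation": None}
    if effect == "DeployIfNotExists":  # created first; the template runs only if nothing satisfies the condition
        details = rule["then"]["details"]
        satisfied = any(child["type"] == details["type"] and condition_met(details["existenceCondition"], child)
                        for child in existing_children)
        return {"allowed": True, "effect": effect, "remediation": None if satisfied else details["deployment"]}
    return {"allowed": True, "effect": effect, "remediation": None}  # Audit, AuditIfNotExists, Disabled

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed subscription scope
DENY_ASSIGNMENT = {"name": "deny-storage-without-secure-transfer", "scope": SUB,
                   "policyRule": SECURE_TRANSFER_RULE, "parameters": {"effect": "Deny"}}
ENFORCE_ASSIGNMENT = {"name": "enforce-keyvault-diagnostics", "scope": SUB,
                      "policyRule": KEY_VAULT_DIAG_RULE, "parameters": {"effect": "DeployIfNotExists"}}

def sample_requests():
    """Constructed create requests exercising both assignments."""
    rg = SUB + "/resourceGroups/rg-demo/providers"
    return {
        "http_storage": {"id": rg + "/Microsoft.Storage/storageAccounts/stlegacy", "type": "Microsoft.Storage/storageAccounts",
                         "name": "stlegacy", "properties": {"supportsHttpsTrafficOnly": False}},
        "https_storage": {"id": rg + "/Microsoft.Storage/storageAccounts/stsecure", "type": "Microsoft.Storage/storageAccounts",
                          "name": "stsecure", "properties": {"supportsHttpsTrafficOnly": True}},
        "vault": {"id": rg + "/Microsoft.KeyVault/vaults/kv-demo", "type": "Microsoft.KeyVault/vaults", "name": "kv-demo", "properties": {}},
        "diag_setting": {"type": "Microsoft.Insights/diagnosticSettings", "name": "to-law", "properties": {"logsEnabled": True}},
    }

if __name__ == "__main__":
    r = sample_requests()
    print("http storage under Deny:", evaluate_request(r["http_storage"], DENY_ASSIGNMENT))
    print("https storage under Deny:", evaluate_request(r["https_storage"], DENY_ASSIGNMENT))
    print("vault without diagnostics under Enforce:", evaluate_request(r["vault"], ENFORCE_ASSIGNMENT))
    print("vault with diagnostics under Enforce:", evaluate_request(r["vault"], ENFORCE_ASSIGNMENT, [r["diag_setting"]]))
```

The scope check mirrors the scope you pick in the configuration pane: the same request evaluated against an assignment on a different subscription is untouched. Switching the assignment's effect parameter to Audit shows why Deny is the stronger control: the non-compliant storage account is then created and merely reported.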
Recommendations with deny/enforce options
These recommendations can be used with the deny option:
- [Enable if required] Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest
- [Enable if required] Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)
- [Enable if required] Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)
- [Enable if required] Container registries should be encrypted with a customer-managed key (CMK)
- Access to storage accounts with firewall and virtual network configurations should be restricted
- Automation account variables should be encrypted
- Azure Cache for Redis should reside within a virtual network
- Azure Spring Cloud should use network injection
- Container CPU and memory limits should be enforced
- Container images should be deployed from trusted registries only
- Container with privilege escalation should be avoided
- Containers sharing sensitive host namespaces should be avoided
- Containers should only use allowed AppArmor profiles
- Immutable (read-only) root filesystem should be enforced for containers
- Key Vault keys should have an expiration date
- Key Vault secrets should have an expiration date
- Key vaults should have purge protection enabled
- Key vaults should have soft delete enabled
- Least privileged Linux capabilities should be enforced for containers
- Privileged containers should be avoided
- Redis Cache should allow access only via SSL
- Running containers as root user should be avoided
- Secure transfer to storage accounts should be enabled
- Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign
- Service Fabric clusters should only use Azure Active Directory for client authentication
- Services should listen on allowed ports only
- Storage account public access should be disallowed
- Storage accounts should be migrated to new Azure Resource Manager resources
- Storage accounts should restrict network access using virtual network rules
- Usage of host networking and ports should be restricted
- Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers
- Validity period of certificates stored in Azure Key Vault should not exceed 12 months
- Virtual machines should be migrated to new Azure Resource Manager resources
- Web Application Firewall (WAF) should be enabled for Application Gateway
- Web Application Firewall (WAF) should be enabled for Azure Front Door Service service
These recommendations can be used with the enforce option:
- Auditing on SQL server should be enabled
- Azure Arc-enabled Kubernetes clusters should have Microsoft Defender for Cloud's extension installed
- Azure Backup should be enabled for virtual machines
- Microsoft Defender for App Service should be enabled
- Microsoft Defender for container registries should be enabled
- Microsoft Defender for DNS should be enabled
- Microsoft Defender for Key Vault should be enabled
- Microsoft Defender for Kubernetes should be enabled
- Microsoft Defender for Resource Manager should be enabled
- Microsoft Defender for Servers should be enabled
- Microsoft Defender for Azure SQL Database servers should be enabled
- Microsoft Defender for SQL servers on machines should be enabled
- Microsoft Defender for SQL should be enabled for unprotected Azure SQL servers
- Microsoft Defender for Storage should be enabled
- Azure Policy Add-on for Kubernetes should be installed and enabled on your clusters
- Diagnostic logs in Azure Stream Analytics should be enabled
- Diagnostic logs in Batch accounts should be enabled
- Diagnostic logs in Data Lake Analytics should be enabled
- Diagnostic logs in Event Hub should be enabled
- Diagnostic logs in Key Vault should be enabled
- Diagnostic logs in Logic Apps should be enabled
- Diagnostic logs in Search services should be enabled
- Diagnostic logs in Service Bus should be enabled